Saturday, 19 March 2016

It's weird how 'bottle of water' and 'water bottle' typically mean two different things.

Some commands and stuff for the Raspberry Pi, but they can also be used on other Linux boxes.

Securing your box a little bit more. Simply copy and paste these.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 0 > /proc/sys/net/ipv4/ip_forward

# PREVENT YOUR SYSTEM FROM ANSWERING ICMP ECHO REQUESTS
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# DROP ICMP ECHO-REQUEST MESSAGES SENT TO BROADCAST OR MULTICAST ADDRESSES
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# DON'T ACCEPT ICMP REDIRECT MESSAGES
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# DON'T SEND ICMP REDIRECT MESSAGES
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# DROP SOURCE ROUTED PACKETS
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# ENABLE TCP SYN COOKIE PROTECTION FROM SYN FLOODS
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# ENABLE SOURCE ADDRESS SPOOFING PROTECTION
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# LOG PACKETS WITH IMPOSSIBLE ADDRESSES (DUE TO WRONG ROUTES) ON YOUR NETWORK
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# DISABLE IPV4 FORWARDING
echo 0 > /proc/sys/net/ipv4/ip_forward
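
The echo commands above change only the running kernel and are lost at reboot. As an added example (not part of the original post), this shell script checks the same settings against the values listed above and prints them in sysctl.conf syntax for a persistent drop-in; the optional root-directory argument and the file name 99-hardening.conf are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Baseline: the paths and values used by the echo commands in the post.
BASELINE='net/ipv4/icmp_echo_ignore_all=1
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/send_redirects=0
net/ipv4/conf/all/accept_source_route=0
net/ipv4/tcp_syncookies=1
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/log_martians=1
net/ipv4/ip_forward=0'

# audit_sysctl [ROOT]
# Compare each setting under ROOT (default /proc/sys) with the baseline.
# Prints one line per setting; the return status is the number of mismatches.
# ROOT is an assumption added so the check can run against a test directory.
audit_sysctl() {
    root=${1:-/proc/sys}
    bad=0
    for entry in $BASELINE; do
        rel=${entry%=*}      # path below ROOT
        want=${entry#*=}     # hardened value
        if [ -r "$root/$rel" ]; then
            have=$(cat "$root/$rel")
        else
            have=missing     # e.g. option not present in this kernel
        fi
        if [ "$have" = "$want" ]; then
            echo "ok    $rel = $have"
        else
            echo "DRIFT $rel = $have (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# sysctl_conf
# Print the baseline in sysctl.conf syntax (slashes become dots).
# As root, something like:
#   sysctl_conf > /etc/sysctl.d/99-hardening.conf   (hypothetical file name)
#   sysctl --system
sysctl_conf() {
    for entry in $BASELINE; do
        key=$(printf '%s' "${entry%=*}" | tr '/' '.')
        printf '%s = %s\n' "$key" "${entry#*=}"
    done
}

# Stand-alone use: ./script --audit   or   ./script --conf
case "${1:-}" in
    --audit) audit_sysctl ;;
    --conf)  sysctl_conf ;;
esac
```

A DRIFT line after a reboot usually means the values were only ever set with echo and never written to a sysctl.d file.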



Sunday, 7 February 2016

Block Windows 10 "Telemetry" with Cisco ACLs

Following on from the in-depth post here... https://voat.co/v/technology/comments/835741

I have created a Cisco ACL that blocks all traffic to the IPs listed.

Simply copy and paste this, then apply it to the interfaces on your Cisco device.

access-list 101 deny ip any host 13.107.3.128
access-list 101 deny ip any host 23.9.123.27
access-list 101 deny ip any host 23.67.60.65
access-list 101 deny ip any host 23.67.60.73
access-list 101 deny ip any host 23.67.60.97
access-list 101 deny ip any host 23.74.8.80
access-list 101 deny ip any host 23.74.8.99
access-list 101 deny ip any host 23.74.9.198
access-list 101 deny ip any host 23.74.9.217
access-list 101 deny ip any host 23.96.212.225
access-list 101 deny ip any host 23.101.115.193
access-list 101 deny ip any host 23.101.156.198
access-list 101 deny ip any host 23.101.187.68
access-list 101 deny ip any host 23.102.17.214
access-list 101 deny ip any host 23.193.225.197
access-list 101 deny ip any host 23.193.230.88
access-list 101 deny ip any host 23.193.236.70
access-list 101 deny ip any host 23.193.238.90
access-list 101 deny ip any host 23.193.251.132
access-list 101 deny ip any host 23.210.5.16
access-list 101 deny ip any host 23.210.48.42
access-list 101 deny ip any host 23.210.63.75
access-list 101 deny ip any host 23.217.138.11
access-list 101 deny ip any host 23.217.138.18
access-list 101 deny ip any host 23.217.138.25
access-list 101 deny ip any host 23.217.138.43
access-list 101 deny ip any host 23.217.138.90
access-list 101 deny ip any host 23.217.138.97
access-list 101 deny ip any host 23.217.138.122
access-list 101 deny ip any host 40.117.145.132
access-list 101 deny ip any host 64.4.54.253
access-list 101 deny ip any host 64.4.54.254
access-list 101 deny ip any host 65.52.108.27
access-list 101 deny ip any host 65.52.108.29
access-list 101 deny ip any host 65.52.108.92
access-list 101 deny ip any host 65.52.108.94
access-list 101 deny ip any host 65.52.108.103
access-list 101 deny ip any host 65.52.108.252
access-list 101 deny ip any host 65.52.236.160
access-list 101 deny ip any host 65.55.44.108
access-list 101 deny ip any host 65.55.113.13
access-list 101 deny ip any host 65.55.138.111
access-list 101 deny ip any host 65.55.138.126
access-list 101 deny ip any host 65.55.252.43
access-list 101 deny ip any host 72.21.81.200
access-list 101 deny ip any host 72.21.91.8
access-list 101 deny ip any host 94.245.121.253
access-list 101 deny ip any host 94.245.121.254
access-list 101 deny ip any host 104.73.92.149
access-list 101 deny ip any host 104.73.138.217
access-list 101 deny ip any host 104.73.143.160
access-list 101 deny ip any host 104.73.153.9
access-list 101 deny ip any host 104.73.160.16
access-list 101 deny ip any host 104.73.160.51
access-list 101 deny ip any host 104.73.160.58
access-list 101 deny ip any host 104.91.166.82
access-list 101 deny ip any host 104.91.188.21
access-list 101 deny ip any host 104.208.28.54
access-list 101 deny ip any host 131.253.40.53
access-list 101 deny ip any host 131.253.40.59
access-list 101 deny ip any host 131.253.61.66
access-list 101 deny ip any host 131.253.61.82
access-list 101 deny ip any host 131.253.61.84
access-list 101 deny ip any host 131.253.61.96
access-list 101 deny ip any host 131.253.61.100
access-list 101 deny ip any host 134.170.51.246
access-list 101 deny ip any host 134.170.51.247
access-list 101 deny ip any host 134.170.58.118
access-list 101 deny ip any host 134.170.58.190
access-list 101 deny ip any host 134.170.115.62
access-list 101 deny ip any host 134.170.165.251
access-list 101 deny ip any host 134.170.165.253
access-list 101 deny ip any host 134.170.179.87
access-list 101 deny ip any host 137.116.74.190
access-list 101 deny ip any host 157.55.240.220
access-list 101 deny ip any host 157.56.77.138
access-list 101 deny ip any host 157.56.77.139
access-list 101 deny ip any host 157.56.96.58
access-list 101 deny ip any host 157.56.96.123
access-list 101 deny ip any host 157.56.144.215
access-list 101 deny ip any host 157.56.144.216
access-list 101 deny ip any host 191.232.80.58
access-list 101 deny ip any host 198.41.214.183
access-list 101 deny ip any host 198.41.214.184
access-list 101 deny ip any host 198.41.214.186
access-list 101 deny ip any host 198.41.214.187
access-list 101 deny ip any host 198.41.215.182
access-list 101 deny ip any host 198.41.215.185
access-list 101 deny ip any host 198.41.215.186
access-list 101 deny ip any host 204.79.197.200
access-list 101 deny ip any host 207.46.7.252
access-list 101 deny ip any host 207.46.101.29
access-list 101 deny ip any host 207.46.114.58
access-list 101 permit ip any any

Saturday, 16 January 2016

Remove Secret Cisco History

show history all <------- You will be surprised what is actually there

Try these commands.
Router(config)#line vty 0 4
Router(config-line)#no history
Router(config)#line console 0
Router(config-line)#no history

Monday, 4 January 2016

2016 Stock Pick List

Company name                    Symbol  Currency    P/E ratio
Tate & Lyle PLC                 TATE    GBX         147.87
Sceptre Leisure Plc.            SCEL    GBX         147.62
Easyhotel PLC                   EZH     GBX         141.48
Premier Farnell plc             PFLB    GBX         141.03
Severfield PLC                  SFR     GBX         139.98
Fresnillo Plc                   FRES    GBX         139.36
DM PLC                          DMP     GBX         131.38
Scientific Digital Imaging plc  SDI     GBX         129.41
Brunner Investment Trust Plc    44GL    GBX         127
Premier Farnell plc             PFLA    GBX         126.22
Crimson Tide plc                TIDE    GBX         123.46
Barclays PLC                    BARC    GBX         122.63
Mortice Limited                 MORT    GBX         122.3
Immedia Group PLC               IME     GBX         120.37
Lowland Investment Company plc  LWI     GBX         114.64
Vectura Group PLC               VEC     GBX         114.24
Consort Medical plc             CSRT    GBX         108.83
Value and Income Trust plc      VIN     GBX         108.41
Digital Globe Services Ltd      DGS     GBX         107.53
Tanfield Group plc              TAN     GBX         106.16
 

Content is intended to be used and must be used for informational purposes only. It is very important to do your own analysis before making any investment based on your own personal circumstances. You should take independent financial advice from a professional in connection with, or independently research and verify, any information that you find on any Website and wish to rely upon, whether for the purpose of making an investment decision or otherwise.



Thursday, 24 September 2015

Tor is Broken

For a long time in my mind there's been no doubt that Tor is broken, at least with respect to the powers available to the United States and its allies. Think about it. There are nowhere near a million Tor nodes and even fewer exit nodes, and a million servers is a rounding error in the DoD black budget for a year.

Sure, non-DoD Tor nodes exist, but what % of them are p0wned? (Zero Day Exploit) I'll hazard a guess; just that % required to make it statistically implausible that, combined with traffic analysis, context gleaned from exit nodes, a handful of zero-days, etc. etc., no one can use Tor and expect sustained anonymity from the government.

I actually think that's a good thing. Hear me out. For the general Tor user who just wants their ISP, nosy Wireshark-aware neighbor, political opponents, large corporations, website owners and various data brokers to fuck off, they have what they want. For dissidents in oppressive nations, those nations probably can't muster the resources to de-anonymize Tor users. For very bad people who want to do very bad things, we can get them, with some effort.

I know this is a minority opinion, but I think that the opposing opinion is regressive. Once, it wasn't possible for a small group of non-nation-state individuals to wreak mayhem on millions of people at once.

Once, the amount of badness that could be achieved by Bad Guys was a trade-off between the number of people the Bad Guys wanted to affect, the number of people the Bad Guys could enlist to help them and the degree of severity of the Badness itself. Not any more. This changes everything.

We are living more and more in a world in which a few or even one really fucked up person can reach out and kill. This is nothing but the advancement of technology, and it's not going to stop. That means the power of small groups gets larger and broader even as the size of that group spirals down to one.

How are we going to counter this general phenomenon? I agree that giving any government unchecked, unobservable, unlimited powers is always a bad idea. (Ironically, I believe this because of the actions of members of administrations who profess to want to "get government off our backs" and told us "government isn't the solution, it's the problem": Oliver North, James Secord, Dick Cheney, Alberto Gonzales etc. etc.)

But in the face of this hypothetical and not-always hypothetical threat we still have the facts on the ground with respect to advancing technologies and the leverage they give just anyone.

I don't think the answer is to limit the power of government. We need that power to exist. I think the answer lies in the people being able to hold the government accountable and their actions rendered transparent to a degree that would shock most people today, both in and out of government. We need to radically re-think the national security 3rd-rail issues like national security classifications, clearances, Presidential directives, etc. etc.

It will tear this country apart if the government continues to do what it knows it needs to do in order to avert terrorism and societal chaos and the people continue to feel like they have no faith in the integrity of the processes and powers of the government, that it could at any moment turn the death ray on them, and probably will. That whole dynamic, the whole world view needs to be addressed and not just addressed but actually resolved by some radical out-of-the-box thinking no one has done yet.

We can have both security and freedom, but it's not going to just arise naturally by continuing on with the status quo conceptual categories we are using now.

Friday, 18 September 2015

"Love is a snowmobile racing across the tundra and then suddenly it flips over, pinning you underneath. At night, the ice weasels come."

IMPORTANT ONE IS GROUP POLICY (gpedit.msc):

Go to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings

ENABLE (to turn it on, it is a disabler)

"Turn off Windows Customer Experience Improvement Program"

---

TO REMOVE THE BOGUS OPTIONAL TELEMETRY HOTFIXES MANUALLY:

Open command prompt
Type powershell
issue these commands

---

TO SEE WHAT ONES ARE INSTALLED:

get-hotfix -id KB3035583,KB2952664,KB2976978,KB3021917,KB3044374,KB2990214

---

TO UNINSTALL THEM (these for sure, per url next below):

wusa /uninstall /kb:3035583
wusa /uninstall /kb:2952664
wusa /uninstall /kb:2976978
wusa /uninstall /kb:3021917
wusa /uninstall /kb:3044374
wusa /uninstall /kb:2990214

per http://www.ghacks.net/2015/04/... [ghacks.net]

---

DESCRIPTIONS OF EACH (these uninstalled properly):

KB3068708 (Telemetry)
KB3075249 (Telemetry)
KB3080149 (Telemetry)

KB3022345 (Telemetry)
KB2977759 (Windows 10 Upgrade preparation)
KB3021917 (Windows 10 Upgrade preparation + Telemetry)
KB3035583 (Windows 10 upgrade preparation)

---

I GOT "NOT INSTALLED ON THIS COMPUTER" ON THESE INITIALLY SINCE I HAD IE11 installed (PROBABLY ONES FOR IE9/10/11):

KB3075249
KB3080149
KB2505438
* KB2670838 (See IE 9/10/11 notes below)
KB3044374
KB2990214 (Windows 10 Upgrade preparation)
KB2505438 (Although it claims to fix performance issues, it often breaks fonts)
KB2976978 (Windows 10 Upgrade preparation)

---

I GOT "NOT INSTALLED ON THIS COMPUTER" ON THESE (*PRIOR* TO PULLING KB2670838 which is IE 11):

* KB2670838 (This update often breaks AERO on Windows 7 and makes some fonts on websites fuzzy. A Windows 7 specific update only; do not install IE10 or 11, otherwise it will be bundled with them. IE9 is the max version you should install to avoid this.)

THESE RE-APPEAR AFTER UNINSTALLING IE11 RIGHT ON RESTARTING & CHECKING WINDOWS UPDATE:

* KB2952664 (Windows 10 Upgrade preparation prior to IE9/10/11 install)
* KB3021917 (Windows 10 Upgrade preparation prior to IE9/10/11 install)
* KB3068708 (Windows 10 Upgrade preparation prior to IE9/10/11 install)
* KB3092627 (Windows 10 Upgrade preparation prior to IE9/10/11 install)

---

run cmd as administrator

sc stop Diagtrack
sc delete Diagtrack

---

*Task Scheduler Library:

Everything under "Application Experience"
Everything under "Autochk"
Everything under "Customer Experience Improvement Program"
Under "Disk Diagnostic" only the "Microsoft-Windows-DiskDiagnosticDataCollector"
Under "Maintenance" "WinSAT"
"Media Center" and click the "status" column, then select all non-disabled entries and disable them.

*services.msc:

"Remote Registry" to "Disabled" instead of "Manual".

Friday, 26 June 2015

How secure is your bank?


The more traditional banks all offer internet banking (when they can keep their IT working - Yes I’m looking at you RBS Group) and all offer “helpful” tips about how you can be secure online… from installing software like Trusteer Rapport or Trust Defender, to keeping your system and security software up-to-date.

However, your connection with your bank's online banking service can only be as secure as they make it. The question is… with more and more of us using online banking, is your bank doing everything it can to make those transactions secure?

To test this, I have been using a tool provided by SSL Labs, called the SSL Server Test. It inspects the configuration of any public SSL web server (such as those used by banks for their online banking services) and grades them from A+ to F.

From the results below you will see that security implementation is hit and miss with only one bank scoring higher than B (mainly because they maintain backward compatibility).

Most UK banks do not seem to support TLS 1.1 or 1.2 despite those standards being ratified in 2006 and 2008 respectively and being supported in all modern browsers. Some banks still support the very antiquated and insecure SSL3.0 protocol.

The problem is that everyone stuck on Windows XP and still using IE6 (i.e. Mum & Dad) does not have support for TLS1.0+. It is the desire to support these antiquated OSes and browsers which has resulted in most banks also supporting RC4, which SSL Labs have described as a “lesser evil” for those antiquated browsers which only support SSL3.0 or TLS1.0.

My view is that they should just be left without support… after all, they could install Firefox… Or upgrade their machine… But as there are no publicly-known feasible attacks against RC4 I suppose it is not unreasonable to keep that cipher alive for a little longer, although Mozilla and Microsoft recommend disabling it and TLS1.3 will ban it from use in the standard.

There will shortly be a new “challenger” bank called Atom, which will not have any physical branches or ATMs; customers' interaction with their bank will be entirely through a mobile phone app.


If there are any banks which I have missed, let me know and I’ll add them in (All scores correct as of 26 June)

The Winner!

Virgin Money - A
https://www.ssllabs.com/ssltest/analyze.html?d=uk.virginmoney.com
Everyone else seemingly needs to copy what Virgin Money have done here and the world of internet banking would be a much better and safer place. The only bank to score an A rating.

The Rest

Barclays - B
https://www.ssllabs.com/ssltest/analyze.html?d=bank.barclays.co.uk&s=157.83.96.200
This is going to be a common theme… Barclays use the RC4 cipher, which SSL Labs do not like one bit and are advising that sites drop RC4 or see their score capped at B.
https://community.qualys.com/blogs/securitylabs/2015/04/23/ssl-labs-rc4-deprecation-plan

Barclays have dropped support for the insecure SSL3 protocol and support both TLS 1.2 & 1.0. They don’t currently support forward secrecy (more about that is available here: https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy). Simply dropping RC4 would see them achieve an A-.

Nationwide - B
https://www.ssllabs.com/ssltest/analyze.html?d=onlinebanking.nationwide.co.uk
Again, the grade is capped to a B for RC4 support.

Smile - B
https://www.ssllabs.com/ssltest/analyze.html?d=banking.smile.co.uk
A current internet-only bank (although part of the Co-op). It has the same RC4 support as Barclays & Nationwide, though, and for the same reasons is only a B.

Co-operative Bank - B
https://www.ssllabs.com/ssltest/analyze.html?d=personal.co-operativebank.co.uk
Much the same as Smile - not surprising as they are part of the same organisation.

Metro Bank - B
https://www.ssllabs.com/ssltest/analyze.html?d=personal.metrobankonline.co.uk
Metro Bank also supports RC4 but only at the bottom of a long list of other cipher suites.

Natwest - C
https://www.ssllabs.com/ssltest/analyze.html?d=nwolb.com
Lacking support for TLS1.1 & 1.2 but does not support RC4!! Proof that you can drop RC4 support and your customers can still access your service.

HSBC - C
https://www.ssllabs.com/ssltest/analyze.html?d=hsbc.co.uk&s=193.108.75.106&latest
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Royal Bank of Scotland - C
https://www.ssllabs.com/ssltest/analyze.html?d=rbsdigital.com
Lacking support for TLS1.1 & 1.2 but does not support RC4.

Halifax - C (I personally think that Halifax should have been rated lower than C.)
https://www.ssllabs.com/ssltest/analyze.html?d=halifax-online.co.uk
Vulnerable to the SSL3 POODLE attack, also lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Lloyds Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=online.lloydsbank.co.uk
Another which is vulnerable to the SSL3 POODLE attack, also lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

First Direct - C
https://www.ssllabs....firstdirect.com
Lacking support for TLS1.1 & 1.2 and supporting RC4

Clydesdale Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=home2.cbonline.co.uk
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Marks & Spencer Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=www7.marksandspencer.com
Lacking support for TLS1.1 & 1.2 and supporting RC4

TSB - C
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonline.tsb.co.uk
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Handelsbanken - C
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonline.tsb.co.uk
Lacking support for TLS1.1 & 1.2 and supporting RC4

Santander - C
https://www.ssllabs.com/ssltest/analyze.html?d=retail.santander.co.uk
Supports RC4 but also orders the cipher suites badly, resulting in RC4 being used in modern browsers instead of a more secure alternative. This downgrades Santander from B to C (NOTE: From September onwards this may result in a downgrade to an F).

Sainsburys Bank - C
https://www.ssllabs.com/ssltest/analyze.html?d=online.sainsburysbank.co.uk&s=195.171.195.119&latest
Lacking support for TLS1.1 & 1.2 and supporting both SSL3 and RC4.

Failures

Tesco Bank - F
https://www.ssllabs.com/ssltest/analyze.html?d=tescobank.com
Oh dear, oh dear, that pesky POODLE. This is an SSL/TLS problem which came to light in October 2014 (and December 2014 for TLS) and had all decent sysadmins patching their servers as soon as humanly possible. The patching is simple and doesn’t require protracted downtime… there is no excuse not to apply it, and because of the severity of the consequences (particularly the TLS version), SSL Labs cap any site with this problem to a FAIL.

If Tesco Bank fixed that, they would still be capped at C as, for reasons only known to them, they only support TLS 1.0.

John Lewis: Partnership Card - F
https://www.ssllabs.com/ssltest/analyze.html?d=secure.partnershipcard.co.uk
Another big red F - this time for insecure client-side renegotiation, but again there is only support for TLS1.0 and SSL3.

The Post Office - F
https://www.ssllabs.com/ssltest/analyze.html?d=pofssavecredit.co.uk
Vulnerable to both POODLE attacks, this site also only supports SSL3 and TLS1.0. It also supports RC4: an abjectly bad implementation.